elbob2002
Member Candidate
Topic Author
Posts: 253
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 3:24 pm

I initially brought this issue up on the Zerotier release announcement thread. It was suggested to start a dedicated one.

I have two routers here that I'm testing Zerotier with. It's a long established Zerotier network that I've been using for a few years now.

Router 1 is a Chateau12
Router 2 is an RB3011

The Chateau connected to my Zerotier network with no issues via LTE. However the RB3011 is displaying the following:
ZTMTIK3011.PNG
The Zerotier Network is not being advertised yet so it's not a routing issue. You can see from the screenshot that it says Immediate Gateway Unknown.

Both routers are on the same LAN; however, that should not be an issue.

The Chateau is connecting to Zerotier via LTE and the RB3011 is bridged to an ADSL modem and connects to the internet via PPPoE.

If I set the default route of the Chateau to the RB3011 it still works correctly.

Firewall rules on both routers are straightforward. There are no custom mangle or raw rules other than some custom RAW drop rules on the RB3011. Even with these disabled the same issue occurs.

Both routers also have the recommended firewall rules at the top of the filter page as recommended on the Mikrotik Zerotier Documentation page. About the only difference is on the RB3011 the Zerotier interface is *31 and on the Chateau it is *13

The RB3011 does have 3 EoIP tunnels two of which use IPsec however the IPsec policies only apply to the tunnels and no other interfaces.

I have removed the Zerotier package on the RB3011, rebooted and reinstalled it. After another reboot still the issue again persists.

MRU on the RB3011's PPPoE interface was manually configured to 1492. Removing the manual setting and allowing it to default to 1480 still results in the same Immediate Gateway error.

It has me baffled as I can't see any reason why it won't work!
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 3:33 pm

This *<number> stuff usually means that there is a reference to an unknown interface.
Have you tried renaming the zerotier interface?
Does it look different in the cli?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 3:48 pm

This is a Winbox bug. Check console, it must be OK there. Since Zerotier was just added, Winbox doesn't support it in some places yet.
 
elbob2002

Re: Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 3:52 pm

Interesting! Even though I looked a hundred times I never noticed the difference.

The chateau as you can see below is different. On the Zerotier Control Panel they all have the same configuration.

Maybe it's just the RB3011 hasn't correctly picked up its configuration from Zerotier though.

Edit - Although I did have the same issue joining a completely new Zerotier Network that I set up for testing.


RB3011 -
Flags: D - dynamic, X - disabled; R - running 
 0    name="zerotier1" mac-address=XX:XX:XX:XX:EF:50 arp-timeout=auto network="XXXXXXXXX"

Chateau -
Flags: D - dynamic, X - disabled; R - running 
 0  R name="zerotier1" mac-address=XX:XX:XX:XX:XX:XX arp-timeout=auto network="XXXXXXXXX" instance=zt1 bridge=no dhcp=no network-name="RS1" 
      status="OK" type="PRIVATE" 
 


The first expanded entry is the Chateau (10.147.20.29), the lower one is the RB3011 (10.147.20.1)
ZT Cpanel.PNG
 
elbob2002

Re: Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 4:19 pm

Odd.

If I disable Rule14 it works! Yet the Chateau also has the same rule.
FWRules.PNG
 
normis

Re: Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 4:24 pm

Disabling that rule is very dangerous. Better to add an accept rule from the zerotier1 interface.
 
elbob2002

Re: Zerotier Immediate Gateway Unknown  [SOLVED]

Fri Sep 03, 2021 4:26 pm

Finally resolved.

It seems the Zerotier package needs to communicate on the localhost address. Adding the following rule to the top of my input rules resolved my issue:
/ip/firewall/filter/add chain=input dst-address=127.0.0.1 action=accept
 
elbob2002

Re: Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 4:28 pm

> Disabling that rule is very dangerous. Better to add an accept rule from the zerotier1 interface.
Indeed. I only disabled it for a moment to test if it might have been a firewall issue. And indeed it was! See the post I marked as resolved.
 
hapoo
newbie
Posts: 45
Joined: Wed Apr 24, 2019 1:35 am

Re: Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 9:09 pm

Thanks, I was having the same issue (on a 4011 with a regular DHCP ISP connection), and that rule fixed it. Is it secure though?
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Zerotier Immediate Gateway Unknown

Fri Sep 03, 2021 10:31 pm

That rule is part of the default configuration:
/ip firewall
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
 
elbob2002

Re: Zerotier Immediate Gateway Unknown

Sat Sep 04, 2021 10:00 am

> Thanks, I was having the same issue (on a 4011 with a regular DHCP ISP connection), and that rule fixed it. Is it secure though?
It's secure as in it connects to the Zerotier controller. After that any connection to anything else on your zerotier network is peer to peer so nothing goes through any third party servers.
 
elbob2002

Re: Zerotier Immediate Gateway Unknown

Sat Sep 04, 2021 10:01 am

> That rule is part of the default configuration:
> /ip firewall
> filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
It is on ROS 7. I upgraded my RB3011 from 6.48.4 and I never had a default config on it which is how I missed it.
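
The failure mode in this thread, an input chain where a drop rule is reached before any accept for 127.0.0.1, can be checked offline against a firewall export. This is an added example, not code from the posts above or from MikroTik: the sample export is constructed, the function names are hypothetical, and the matching is a heuristic rather than a full model of RouterOS rule evaluation.

```python
import ipaddress
import shlex
LOOPBACK = ipaddress.ip_address("127.0.0.1")
PLAIN = {"action", "chain", "comment", "dst-address"}  # accept rule with no extra matchers

# Constructed sample shaped like "/ip firewall filter export"; it lacks the loopback accept.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
'''

def parse_rules(export_text):
    """Return the filter section's 'add' lines as property dicts, in rule order."""
    rules, in_filter = [], False
    for line in export_text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            props = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            rules.append(dict(props))
    return rules

def covers_loopback(dst):
    """True if a dst-address matcher (absent, address or CIDR, optional '!') hits 127.0.0.1."""
    if dst is None:
        return True
    try:
        inside = LOOPBACK in ipaddress.ip_network(dst.lstrip("!"), strict=False)
    except ValueError:  # address ranges are not modelled in this sketch
        return False
    return inside != dst.startswith("!")

def audit_loopback(export_text):
    """Heuristic: report which input rule first decides traffic to 127.0.0.1."""
    for index, rule in enumerate(parse_rules(export_text)):
        if (rule.get("chain") != "input" or rule.get("disabled") == "yes"
                or not covers_loopback(rule.get("dst-address"))):
            continue
        action = rule.get("action", "accept")
        if action == "accept" and "dst-address" in rule and set(rule) <= PLAIN:
            return ("accepted", index)
        if action in ("drop", "reject") and "connection-state" not in rule:
            return ("blocked", index)
    return ("undecided", None)
```

A result of `("blocked", n)` means rule `n` (zero-based, in export order) is reached before any plain accept for 127.0.0.1, which is the situation described for the upgraded RB3011.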
 
nescafe2002

Re: Zerotier Immediate Gateway Unknown

Sat Sep 04, 2021 4:07 pm

No problem, was just replying to point out that the rule is safe to add.
